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Abstract 

In network communications, information transmission often encounters wiretapping attacks. Secure 
network coding is introduced to prevent information from being leaked to adversaries. The investigation 
of performance bounds on the numbers of source symbols and random symbols are two fundamental 
research problems. For an important case that each wiretap-set with cardinality not larger than r, Cai and 
Yeung proposed a coding scheme, which is optimal in the senses of maximizing the number of source 
symbols and at the same time minimizing the number of random symbols. In this letter, we further study 
achievable lower bound on the number of random key and show that it just depends on the security 
constraint, and particularly, is independent to the information amount for transmission. This implies that 
when the number of transmitted source message changes, we can’t reduce the number of random key 
to keep the same security level. We further give an intuitive interpretation on our result. In addition, a 
similar construction of secure linear network codes is proposed, which achieves this lower bound on the 
number of random key no matter how much information is transmitted. At last, we also extend our result 
to imperfect security case. 


Index Terms 

Secure network coding, perfect security, imperfect security, rate of the key, achievability 

I. Introduction 

Network coding allows internal nodes in a communication network to process the received information 
ifTIl . which can maximize multicast throughput of the communication network. Li et al. O further indicated 
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that linear network coding is sufficient for multicast. Jaggi et al. |[3l proposed a deterministic polynomial¬ 
time algorithm for constructing a linear network code (LNC). 

In practical network communications, information transmission is often under wiretapping attacks. 
An eavesdropper is capable of wiretapping on an unknown set of channels in networks. The secure 
network coding was introduced first hy Cai and Yeung 0 to prevent information from being leaked to 
the eavesdropper. In their journal paper l|5l, they proposed the model of a communication system on a 
wiretap network (CSWN) and the idea of secure network coding, where information-theoretic security 
0 (also refer to perfect security) is under consideration, i.e., the mutual information between source 
message and the message available to the eavesdropper is zero. Particularly, a network code is r-secure 
if this eavesdropper can obtain nothing by accessing any r channels. This number r is called security- 
level in this letter. In addition, if it is allowed that the eavesdropper can obtain a controlled amount of 
information about source message, this is called imperfect security. They also proposed a coding scheme 
to construct a secure linear network code (SLNC) with security-level r, and indicated the optimality, that 
is, the constructed SLNCs multicast the maximum possible number of information symbols to sink nodes 
securely and at the same time use the minimum number of random symbols to achieve security-level r 
when the source message is distributed uniformly. Usually, these random symbols are regarded as the 
random key. Subsequently, Feldman et al. 0 derived a tradeoff between the size of source message set 
and code alphabet size. In Q, Rouayheb et al. shows that this secure network coding problem can be 
regarded as a network generalization of the wiretap channel of type II introduced by Ozarow and Wyner 
0. Thus, they presented a construction of SLNCs by using secure codes for wiretap channel II, which 
is actually equivalent to Cai and Yeung’s construction. 

Similar to classical wiretap channel model in ||9l, in our wiretap network model, it is necessary to 
randomize the source message to combat the eavesdropper. Thus, randomness is introduced, which reduces 
the throughput inevitably. Hence, two of fundamental problems in secure network coding theory are the 
performance bounds on the size of source message and the size of random key under the certain security 
constraint. To be specific, on the one hand, we are interested in the maximum size of source message, 
which indicates the maximum number of information symbols allowed to be multicast to sinks from the 
source node securely. On the other hand, we are also interested in the minimum size of random key, 
which describes the minimum number of random symbols injected into networks by the source node 
to guarantee the required security. The former characterizes the effectiveness of SLNCs for information 
transmission and the latter characterizes the cost of SLNCs for the security. In general, the latter is more 
important and necessary since in cryptography randomness is regarded as a resource. 
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In lITOl . Cheng and Yeung investigated the above two fundamental hounds for the general case that the 
collection A of all possible wiretap sets can consist of arbitrary subsets of channels, which perhaps are the 
most general results until now. Cai and Yeung lO also studied these two fundamental bounds for a special 
but very important case that all wiretap sets have cardinalities not larger than a fixed positive integer 
r, in other words, the eavesdropper can access any r channels at most. They designed a construction 
of SLNCs of oj-rate and r-security-level with w + r = Cmin — miiitg'r Ct with Ct being the minimum 
cut capacity between the source s and the sink t, and showed that their construction is optimal in the 
senses of maximizing the number of information symbols and at the same time minimizing the number of 
random symbols. Naturally, a more general problem is proposed: if the number of information symbols 
doesn’t achieve the maximum, what is the minimum number of random symbols to ensure the same 
security requirement. In other words, when we reduce the number of source message to be transmitted, 
whether the number of random key injected into networks can decrease to keep the same security-level. 
The motivation of this problem is natural. For instance, in practical network communications, the source 
often multicasts messages at several different information rates, but the security requirement is unchanged 
because the wiretapping capability of the eavesdropper doesn’t decrease for these distinct information 
rates m. Another example is that sometimes we need different security-levels even if the information rate 
is fixed since the security requirement is probably changed within a session. Therefore, no matter what, 
we always pay attention to the minimum number of random key. In this letter, we give a negative answer 
for the proposed question, that is, even if the source message cannot achieve the allowable maximum, the 
minimum number of random key to ensure the same security won’t decrease. This further implies that 
the minimum number of random symbols injected into networks just depends on the security constraint, 
and independent to other parameterj^- 


II. Main Results 

Let G = {V, E) be a directed acyclic single source multicast network, where V and E are the sets 
of nodes and channels, respectively, and denote by s the single source node. We consider LNCs on this 
network over the base field F^, q a prime power. A direcf edge e = (i, j) G E stands for a channel from 
node i to node j. Node i is called the tail of e and node j is called the head of e, denoted by tail(e) 

'in this letter, we always consider the nontrivial case that the sum of the information rate and the security-level does not 
exceed the minimum cut capacity between the source node and every sink node. 
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and head(e), respectively. For a node z, define 

Out(z) = {e € E : 
In(z) = {e & E : 


tail(e) = i}, 
head(e) = i}. 


We allow parallel channels between two nodes and thus assume reasonably that one field element can 
pass through a channel in one unit time. In defining an n-dimensional (n < Cmin) LNC on G, let In(s) 
consist of n imaginary incoming channels terminating at the source node s, where assume that source 
message is transmitted to s through them. 

Definition 1 (Global Description of An LNC): A Fg-valued re-dimensional LNC on G = {V,E) 
consists of an re-dimensional column vector /g for every channel e ^ E such that: 

1) /e, e G In(s), form the standard basis of F”; 

2) For other channels e € E, 


( 1 ) 


fe 'y ^ ^ci,e ■ fdj 

dGln(tail(e)) 

where G F^ is the local encoding coefficient for the adjacent channel pair (d, e). 

The source s generates the random message M according to uniform distribution on F^ , the message 
set, and a; is the information rate. We request that the source message M is multicast to every sink node 
t gT, the set of sink nodes, while being protected from an eavesdropper who can access any subset of 
channels with cardinality not larger than r, i.e., the security-level is r.^Let the key K be an independent 
random variable according to uniform distribution on the alphabet In order to guarantee security-level 
r, we are interested in the minimum number of the random key such that the message M can be multicast 
from the source node s to all sinks securely. In other words, we are interested in the minimum entropy 
H{K) = log |.^| of the random key K, or equivalently, the minimum value of the cardinality |.^|. 

Definition 2: Define the rate of the key K as: 

H{K) 


rx = 


logq 


Similarly, this rate of the key can also describe the number of random key K. For the minimum entropy 
of the key to guarantee security-level r, the corresponding optimal rate of the key is denoted by 


^It is necessary that r is strictly smaller than the minimum cut capacity Ct between the source node s and every sink node 
t GT, since otherwise an eavesdropper accessing all the channels in a minimum cut between the source node and a sink node 
would obtain all information received by this sink node, and thus, it can decode the source message successfully. 
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A. Perfect Security Case 


Now, we give the main conclusion for the scenario of perfect security. In Q, Cai and Yeung proposed 
a construction to design r-security-level and u) = (Cmin — r) -information-rate LNCs and showed that this 
construction maximizes the number of source symbols and minimizes the number of random symbols. 
This implies that for security-level r, the optimal rate satisfies = r for the case that to + r = Cmin- 
Thus, we just consider the case uj + r < C'min^ or tu < Cmin — f. By partly using their arguments for 
converse part of the proof more delicately and technically, we obtain the result below. 

Theorem 1: Let the required security-level be r. Whatever the information rates u) satisfying lj + r < 
Cmin are, the optimal rate of the key is r. 

Proof: First, recall that G = {V, E) is a single source multicast network. On the one hand, we will 
prove the achievability, i.e., r is sufficient for the rate of the key rx to construct a SLNC with information 
rate a; and security-level r. Hence, in order to show the sufficiency of the key rate r, we want to apply the 
construction in Q to simplify the proof. However, since the summation of both information and key rates 
reaches the network capacity for their construction, we cannot use it directly, and thus, we will modify it 
to adjust to arbitrary allowed information rate by adding a constant vector C to main information vector. 
Construction: 

1) For the network G, construct an n = Cmin dimensional LNC C of global description {/e : e E i?} 
(e.g. Jaggi et al.’s algorithm 131): 

2) Choose n linearly independent Fg-valued n-column vectors bi,b 2 ,- " ,bn satisfying the condition: 

({6i : 1 < z < n - r}) n {{fe : e E A}) = {0} (2) 


for all channel-sets A ^ Er = {A C E : |A| = Rank(Fyi) = r} with Fa = [^ : e E A]. Then 
define an n x n invertible matrix Q = bi $2 ■ ■ ■ K, 

3) Let the information rate and the security-level be io and r, respectively, which satisfy io + r < n. 
The source message M is randomly chosen from according to uniform distribution, while the 
independent random key K is distributed uniformly on F^. Let X = [M G K] he the input of 
the network G, where C is a constant {n — uj — r)-dimensional row vector c. For convenience of 
analysis, we also regard C as a random variable with probability Pr{C = c) = 1. Furthermore, let 
the outcome m of M be an cu-row vector in F^ , and the outcome fc of iT be an r-row vector in 
F-. 


4) Encode the vector X by transmitting in each channel e the value XQ ^/e. 
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In im, the authors have shown that {Q ^/e : e E E} constitutes a global description of an n- 
dimensional SLNC, which can decode every input [m c ^ successfully and satisfy the security requirement 
H{M,C\Ya) = H{M,C) = H{M), further implying H{M\Ya) = H{M,C\Ya) = H{M), for any 
channel-suhset A with cardinality not larger than r. Thus, we show that the optimal key rate doesn’t 
exceed r, i.e., < r. 

On the other hand, we will prove that the optimal key rate is lower hounded hy r, i.e., > r, or 

equivalently, H{K) > rlogq. Let and clearly, 0. Then there exists an injection 

(f) from the set of the key to the vector space . Further, according to this injection mapping (j), any 
output /c in is transformed to a Fg-valued -dimensional row vector k, that is, (/>(A:) = k. Further, we 
have 

w + < a; + < tu + r < C*min- 

Let CUT he an arbitrary channel-cut between the source node s and the sink node t, and clearly, 

\CUT\>Crn^>UJ + f*K. 

Since the considered network code is linear, there must exist \CUT\ {uj + f|^)-column vectors /e, e E 
CUT, such that 

[M K]- Four = Ycut, 

where Fb = [fe '■ e G B] and Yg = [F^e ^ e E i?] for any channel-set BYE. 

Furthermore, since Rank(Fc[/'r) < tu -|- f*j^, there exists at least one channel-set U C CUT with 
\U\ = UJ + such that 

Rank(F[/) = Rank(Fc'f/'r), 

and one has 

[M K]-Fu = Yu. (3) 

In addition, at the sink node t G T, one has the decoding equation: 

[M K] ■ 

^Notice that /e and Ye may not be the global encoding kernel of the channel e and the observation transmitted on the channel 
e, e.g., in the proof of the achievability. But they are determined exactly provided that the corresponding global encoding kernel 
and the observation on the channel are obtained. Thus, we still use the same symbols to represent them, and this abuse of 
notation should cause no ambiguity. 
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and the relationship 

{Fin{t)) C (Fcut) = (Fu), 

where (Fb) = {{fe ■ e € B}) for any channel-set B ^ E. Hence, there exists a \U\ x |In(f)| = 
(w -|- X |In(f)| matrix P such that 

Fu ■ P = . 

Consequently, multiplying both sides of the equality ([3]) hy P yields 

[M K]-Fu-P = [M K]- =Yu-P, 

and the last equality implies that 

p(yin(i)|yt/) = o. (4) 

Note that the sink node t can recover the message M with no error, which further leads to = 

0. Together with the equality (|4ll, it follows that H{M\Yu) = 0. Thus, for any J C U with |J| = r, we 
obtain 

H{M) = HiM\Yu) + IiM-,Yu) 

= I{M-Yu) (5) 

= I{M;Yu\j,Yj) 

= I{Yj-M)+I{Yu\j;M\Yj) 

= I{Yu\j-,M\Yj), (6) 

where the equality dS]) follows from P[{M\Yu) = 0, and the equality ® follows from the requirement 
of security-level r, that is, the eavesdropper accessing any r channels obtains no information about the 
message M. 

Moreover, before discussing further, we need the following lemma (see ||5l Lemma 2] and US). 
Lemma 2: For a subset a of AA = {1, 2, • • • , n}, let a = Af\a and denote (X* : i € a) = Xa- For 
any 1 < r < n, let 

\r—1/ a-.\a\=r 

Then hi < h 2 <■■■ < hn- 
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Recall H{M) = I{Yij\j] M\Yj) for any J C U with | J| = r. Summing over all J C 17 with | J| = r, 
we deduce 


JCU: \J\=r 

: J] [H{Yu\j\Yj) - H{Yu\j\M, Yj)] 

JCU: \J\=r 


JCU: \J\=r 

LO + f*j^- I 


o; + f ^ - r - 1 


1 


Vtj+rJf-r-l/ Jet/: \J\=r 


Y H{Yu\j\Yj) 


<( ^ .)h{Yu), 

\a; + - r - 1/ 

where the last inequality follows from Lemma |2l Hence, 

H{Yu) > ^, 7 /^ . H{M) = 

Vaj+r^—r—1/ ^ 

Therefore, one has H{M) + H{K) > H{M,K) and 


H{M). 


I —^ 

H{M, K) = H{M, K, Yu) > H{Yu) > H{M). 

oj + — r 


Equivalently, 


H{K)> 


-H{M) = 


ruj 


log q. 


(7) 


uj + — r uj + fj^ — r 

Since we have known that r’^ < r, which further implies < r. Together with the inequality (jT), we 
conclude that 


H{K)> 


cor 


uj + r*^-r 


log q > r log q, 


which means that 

,, H{K) rlogg 

Tr = -j- > -j-= r. 

log q log q 

Combining the above proof for two directions, we conclude r*R = r, which completes the proof. ■ 
Remark 3: The above conclusion implies that even if for some reasons the source node gives up a 
part of network capacity or cannot send the maximum number of information symbols, then the number 
of random symbols won’t be reduced. Actually, this can be interpreted intuitively as follows: if we have 
a safe that needs 3 locks to be safe and secure, it does not matter how much plain document you are 
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putting in the safe, the safe still needs 3 locks and 3 keys to he secured. The same understanding applies 
here. 


Actually, the proof of the achievahility in Theorem [T] induces a similar construction of SLNCs with 
security-level r and no matter what the information rates are. Particularly, we can set c = 0, an all zero 
(C'min — uj — r)-row vector for simplify. In addition, it also implies that the cardinality of the Er is 
sufficient for constructing SLNCs. But we can see that Er depends on the underlying LNC and it is hard 
to handle. Naturally, we hope to find anofher lower hound just depending on network topology, even 
though it is possibly looser. We define a new collection of channel-sefs as: E™^ = {A C E : |A| = 
mincut(s, A) = r}, where mincut(s, A) represenfs fhe minimum cuf capacity hefween s and A, clearly 
which just depends on the network topology. Further it is implied that is a new lower hound. 

Proposition 1: % C .E™* and \%\ < |.E™t| < (If).t 

Proof: For every A € Er, we have Rank(Fyi) = r, which implies mincut(s, A) > Rank(Fyi) = r. 
Together with |A| = r, one obtains A E E™^. The second inequality is obvious. ■ 


B. Imperfect Security Case 

The results in the last subsection can be extended to imperfect security case easily. First, we review the 
concept of imperfect security ifT^ p.71], which allows the eavesdropper to obtain a controlled amount of 
information about the source message. Again let A be a collection of all channel-sets with cardinalities not 
larger than r. The perfect security condition I{M-,Ya) = 0 for all A E A is replaced by the imperfect 
security condition I{M;Ya) < ilogq for all A E A (also see Q), where f is a fixed nonnegative 
integer satisfying 0 < f < r. This integer i indicates that how much information can be leaked to the 
eavesdropper, and we call it as imperfect-security-level. For imperfect security, we can still claim that the 
minimum number of random key won’t decrease, no matter how much information can be transmitted 
to sinks. In the following, we state our result. 

Theorem 4: Let the wiretap collection A consist of all channel-sets with cardinalities not larger than r 
and the required imperfect-security-level be i. Whatever the information rates uj satisfying u:-\-r—i < C'min 
or equivalently oj < C'min — r -\- i are, the optimal rate r*^ of the key is r — i. 

The proof of this theorem is closely similar to that of Theorem [U thus omitted. 

"'a better lower bound on field size for SLNCs has been obtained in our previous works. Please refer to fH for more details. 
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III. Conclusion 

In this letter, we focus on the minimum number of random key injected into networks hy the source 
node to prevent information from being leaked to an eavesdropper which can access any r channels at 
most, no matter how much source message is multicast to all sinks. For two cases of perfect and imperfect 
securities, we respectively deduce two minimums and further show that they just depend on the security 
constraint and independent to other parameters. 
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